Technology Stocks : The *NEW* Frank Coluccio Technology Forum


To: fred g who wrote (10910), 8/4/2005 2:05:31 PM
From: axial
 
Fred, can you suggest how such a network might operate?

Your point about the original ARPAnet design is well taken, and echoes comments from originators about lack of security - there was no need for it. In the context of the time and usage, it was a non-issue.

As is your correct terminology for connection accounting.

"A new Internet could be designed with security in mind. It would probably not be fully connectionless."

Not trying to be difficult, but if you're not inspecting content, then you have to be tracking usage. In what other ways could security be achieved?



To: fred g who wrote (10910), 8/6/2005 9:10:15 PM
From: Frank A. Coluccio
 
Fred,

The aphorism that I wrote in my message to Peter concerning how one looks at something affecting what they're looking at, could have as easily been applied to security, as well. When I began writing this reply I was set to agree with you, unequivocally, and I still do in part. What altered my view, however, or "the way I looked at" this matter, was a brief exchange that I had with Tom Henderson, a friend and former Compuserve Forum co-moderator of mine during the mid-Nineties.

Tom had to remind me of the other sides of the PSTN security issues that, for some reason, tend to circumvent our notice during discussions such as these.

PSTN cracking, better known as phone phreaking, which also extends to end-user PBX and station systems, has long been an issue that has resulted in untold billions of dollars of fraud over the years on both wireline and wireless/cellular/PCS platforms, just as cable theft has, not to mention other unholy and evil deeds that have resulted in sabotage and denial of service. Those acts were and continue to be directed not only against the established telephone companies but against end-user organizations and private citizens, as well. That we don't hear a lot more about these incidents, as we do about the Internet attacks, is largely due to their nature, and possibly due to the greater ease with which victims can cover them up.

No financial institution or any other form of business likes to broadcast to its shareholders and customers that they've been had, and that goes for breaches in Internet security as well as PSTN security. But there are some key differences between those two areas of infractions that account for levels of exposure they each receive. One difference stems from the ease with which Internet attacks can take down (and have taken down) certain types of 'Net-dependent businesses. Recall E-Bay, Yahoo and others that were stuck in the mud for hours or days after DDOS sprees?

Another difference is the amount of noise that is generated when major thefts occur. In many cases, especially when an institution is the custodian of confidential data, disclosures of theft are mandatory, as opposed to the discretionary stance that many tend to take when their losses are proprietary ones, resulting from billing fraud or industrial espionage, as just two examples.

Yes, there are instances when those losses must be reported, too, but as we all know they are not. If no one is immediately affected outside of the comptroller's office, it means that no one immediately knows about it, either.

Getting back on point, if a phone phreak is able to penetrate ChoicePoint's PBX through its back door by using DISA (Direct Inward System Access) codes or modern-day equivalents, and the evil-doer is effectively able to place several thousand international calls over the victim's network free of charge over a period of time before being found out, then it's usually at the company's own election whether it discloses the breach to the authorities and others. Sometimes they do, and probably just as many times the company may seek to remedy the issue through creative accounting.

If, on the other hand, the same company finds that its databases have been compromised, resulting in the loss of thousands of personal ID records, or sensitive information that could be tied to national security, say, then it has no choice but to fully disclose those losses to all stakeholders who happen to be affected or involved, which usually results in an account leaking out to the press, as well.

I initially e-mailed Tom to seek his permission to reprint several excerpts from his Defcon-related account in his newsletter, which he routinely publishes from his company, Extreme Labs, Inc. - extremelabs.com, since it is a paid subscription service.

My intended use of those excerpts was to attach them to my response to you (Fred). His reply to me follows:

------ Begin TH:

Frank, I'll add (for publication on your forum) the following:

A lot of hackers got started doing phone hacks, on the supposedly 'secure' PSTN. Take 2600 Magazine, for example (bonus points for knowing what the '2600' stands for). It was a phone phreaker's book, and evolved along with the maturation and populist movements of the PC industry. It still, to this day, has exotic-looking payphones on its inside back and back covers. It's a gem. Only those entirely sure of the Rapture need not subscribe. Is your business in there this month?
What silly madness of your company's telephony or communications infrastructure will be held up in 2600 this month for all to pinch their nostrils while laughing at?

But it's not about theft. It's not about cracking. It's about curiosity and probing. It's about knowing scams, not to use them, but to be wary of them and occasionally to laud the ingenuity that people go to when they're looking for cracks.

It's a superficial observation to say that QoS isn't do-able. The problem with all data systems is that they were built on synchronous, asynchronous, but not isochronous communications. As payloads in broadband increase, QoS doesn't become the problem, it's just a plumbing issue. Visionary cities like Loma Linda, California now mandate FTTH and FTTB, along with a methodology of what the IDF looks like. It's the law there, now. And Verizon, where the economics work (and certainly not if they don't) will put fiber into your building or home.
And they arrive daily, a dozen lawyers in tow, to US congressional offices to ensure that they retain their ever-reforming monopolies.

The results have given us the most backward PSTN and mobile phone infrastructure in the world. We're a laughing stock. Say the phrase 1xRTT in Stockholm and they roll on the floor in laughter. All this is happening while the three remaining telcos of note re-cast the PSTN as VoIP so that they can thwart state regulation. To them, Internet is good, and PSTN is bad-- because they don't want to spend the money complying with each and every regulatory body in the states that have them.

What's old school and ruinous is/are the telcos that can't abstract services competitively from the infrastructure that they literally stole from the American people. Their destiny is to constantly battle data infrastructure providers because indeed they both are communications providers, and communications is both a necessity, a service, and a luxury depending on the manifestation.

PSTN secure? Hah. Tell me another joke. Watch your phone bill.

Ok, just kidding about the phone bill. Tom

------ End TH

----------------------------------------------------------------------------

My original reply to you, Fred, follows:

---

Hi Fred,

You stated:

".. the Internet is insecure by design. The PSTN is secure by design. That's really all that matters."

I think your statements are in rapport with my opening on this topic, where I stated, "The PSTN sailed along for over a hundred years without the magnitude of security breaches, even if measured per capita, that we see today on the Internet."

Tom Henderson of Extreme Labs, Inc. <http://www.extremelabs.com> is a friend and a one-time co-moderator of mine from the heyday of Compuserve. In a recent piece that he wrote for his subscription service newsletter he covered his experiences and observations at the recent hacker fest, Defcon. The following excerpts are from that newsletter. I share them with you and the board with Tom's permission:

"Cisco's major security problems became the news fodder of the day. It appears as though Cisco's methodology for security fixes has been revealed, and their IOS bugs are the talk of the town. If you knew something about how Cisco's Internet Operating System (IOS) works, and a bit about assembler pcode, then you were part of the way to understanding the chinks in Cisco's armor. These chinks are also in the armor of the Internet, where Cisco holds a dominating market share, and has since the beginning of the Internet. Break Cisco, and you can bring down the Internet. Scary, isn't it? Until now, Cisco has stayed far ahead of crack fears. Now it isn't so, an embarrassment for Cisco. This was a 6.5 Internet earthquake, sans tsunami."

[...]

"I also saw, by way of steep criticism, passionate people dragging vendors' names through the mud because these vendors are criminally negligent in their products' construction from any number of different perspectives. I wonder if the SEC should get involved, or that nice NY attorney general."

[...]

"All agree that something needs to be done, but in the absence of leadership, there's not much short-term hope. And, as hackers and crackers and security people make $$ from the maladies of others, there's not much hope for organized efforts to appear soon. It reminds me of the fact that the computer repair and the computer hardware industry segments are nearly totally disassociated from each other; the constant drop of hardware costs only prevents quality feedback loops from appearing. QA info only appears to make a difference in warranty service. Now that we throw away PCs when they no longer function (for either hardware problems or corrupt software), the problem gets worse and worse. There'll be no convictions, and be no jail terms for bad design."

---

I post Tom's views in part because they parallel my own on this topic, although I think I would have posted them anyway as a means of illumination once having read them, in any event.

FAC
frank@fttx.org
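The DISA abuse described in the post above (thousands of international calls placed through a PBX back door before anyone notices) leaves its trace in the PBX call detail records, if anyone looks at them. What follows is an added example, not code from this thread, from Extreme Labs or from any PBX vendor: a small Python detector over a constructed CDR layout that tallies international calls entering through the DISA port per day and raises an alert on bursts and off-hours activity. The CDR format, the sample records, the "DISA" access-path label, the "011" international prefix (NANP) and the thresholds are all assumptions of the example.

```python
"""Toll-fraud detection over PBX call detail records (CDRs).

Added example; not code from the forum thread or from any vendor.
The CDR layout and every record below are constructed for illustration:
real PBXs emit their own CDR formats, and the access-path label "DISA"
and the international prefix "011" (NANP) are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed CDR lines: ISO timestamp, access path, caller ID, dialed digits,
# duration in seconds. "DISA" marks calls that entered through the Direct
# Inward System Access port; "STATION" marks calls from an internal extension.
SAMPLE_CDRS = """\
2005-08-01T09:12:04 STATION 2143 5551234 120
2005-08-01T23:41:10 DISA 0000 01144207946000 1800
2005-08-01T23:58:32 DISA 0000 01144207946001 1750
2005-08-02T00:14:05 DISA 0000 01192012345678 2400
2005-08-02T00:30:47 DISA 0000 01192012345679 2300
2005-08-02T01:02:19 DISA 0000 01144207946002 1900
2005-08-02T10:05:00 STATION 2150 01133145550199 300
2005-08-02T11:20:00 DISA 0000 5559876 60
"""

INTL_PREFIX = "011"              # assumed NANP international access code
OFF_HOURS_START = time(22, 0)    # assumed business hours: 06:00-22:00
OFF_HOURS_END = time(6, 0)


@dataclass(frozen=True)
class Call:
    when: datetime
    path: str      # "DISA" or "STATION"
    caller: str
    dialed: str
    seconds: int


def parse_cdrs(text):
    """Parse the constructed whitespace-separated CDR layout; skip blank lines."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, path, caller, dialed, seconds = line.split()
        calls.append(Call(datetime.fromisoformat(stamp), path, caller, dialed, int(seconds)))
    return calls


def is_international(dialed):
    return dialed.startswith(INTL_PREFIX)


def is_off_hours(when):
    t = when.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def summarize_disa_international(calls):
    """Per calendar day: count, total seconds and off-hours count of
    international calls that arrived through the DISA port."""
    summary = defaultdict(lambda: {"calls": 0, "seconds": 0, "off_hours": 0})
    for c in calls:
        if c.path != "DISA" or not is_international(c.dialed):
            continue
        day = c.when.date().isoformat()
        summary[day]["calls"] += 1
        summary[day]["seconds"] += c.seconds
        if is_off_hours(c.when):
            summary[day]["off_hours"] += 1
    return dict(summary)


def disa_fraud_alerts(calls, max_calls_per_day=3, max_off_hours=1):
    """Return (day, reason) pairs for days whose DISA international traffic
    exceeds the thresholds. The thresholds are assumed; tune them against a
    baseline taken from the site's own legitimate DISA usage."""
    alerts = []
    for day, s in sorted(summarize_disa_international(calls).items()):
        reasons = []
        if s["calls"] >= max_calls_per_day:
            reasons.append(f"{s['calls']} international calls via DISA "
                           f"({s['seconds'] // 60} minutes)")
        if s["off_hours"] > max_off_hours:
            reasons.append(f"{s['off_hours']} international DISA calls between "
                           f"{OFF_HOURS_START:%H:%M} and {OFF_HOURS_END:%H:%M}")
        if reasons:
            alerts.append((day, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for day, reason in disa_fraud_alerts(parse_cdrs(SAMPLE_CDRS)):
        print(f"{day}: {reason}")
```

Run stand-alone, the script reports both days of the constructed sample: the first for two late-night international calls through DISA, the second for three. Detection of this kind is the compensating control; the preventive one is to give the DISA port a class of service that cannot reach international or premium-rate routes at all, so that a guessed access code buys the caller nothing worth billing.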